× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. PCTECH
  3. July 2006

Spam blocking

Hi Jim and the gang -


Ken - would you consider sharing exactly how you achieve such spam blocking
perfection??


Summary:

1. I run my own router.

2. I run my own server.
3. For all practical purposes I'm the only user on the server and none of the email makes me any money so I can afford to have a heavy hand with the blocking.
I block most of the world at the router so none of the spam originating out of China, Korea, Spain, Brazil, Argentina, etc. has any chance of getting through to me. For the purposes of my incoming email those parts of the world don't exist.
Likewise of I block huge chunks of U.S. and Canada cable and telco provider netblocks because the people in those netblocks should not be trying to send email directly, they should be sending it through their ISP's mail servers.
See http://www.kensims.net/blocks/blocklrt.shtml for my router blocks. The IP addresses in the netblocks in the "All protocols and ports:" and "TCP port 25 inbound (email):" sections cannot get past my router to my mail server. 

On the server itself, the email addresses fall into three classifications:

1. Role accounts - of which I have only postmaster and abuse.
2. Private email addresses - email addresses of which each is given only to a small group of individuals or to a single company or organization (or in one case a small group of related organizations) or to a single small restricted membership email list.
3. Public email addresses - email address of which each is used for something where it is publicly visible - the contact address on my website, the address I use for newsgroup postings, addresses used for mail listings with a large membership, such as the midrange.com lists, and particularly the email address I use for domain registrations.
For incoming connections that get past the router, on the mail server I apply checks as follows:
1. If the host name in the EHLO/HELO command is one of my hosts (except the one that is allowed to send email), the email is rejected, regardless of who it is from or to. No legitimate mail server is going to pretend to be me.
2. If the host name in the EHLO/HELO command is invalid (invalid characters, etc.), the email is rejected, regardless of who it is from or to.
3. If the host name in the EHLO/HELO command is not a fully qualified domain name, the email is rejected, regardless of who it is from or to. This one blocks a lot of spam from zombied systems that identify as localhost or friend or something like that.
4. I reject all email from a few senders regardless of who the email is to. See the bottom section of http://www.kensims.net/blocks/blockles.shtml. This is based on the envelope sender in the SMTP "MAIL FROM" command, not anything in the email headers.
5. I reject anything where the recipient email address does not have a fully qualified domain name. This is based on the envelope recipient on the SMTP "RCPT TO" command, not anything in the email headers.
6. I accept email where the envelope recipient is a role account and or private email address. Emails to those addresses skip the rest of the checks in this list.
7. I reject email from envelope senders in the top section of http://www.kensims.net/blocks/blockles.shtml.
8. I reject email from IP addresses listed at http://www.kensims.net/blocks/blocklei.shtml. The result is that these netblocks can send email to my role accounts and my private email addresses, but not to my public email addresses.
No spammer should ever get any of my private email addresses. If they do, I immediately change the address, even if the email was not delivered because it was attempted with bad EHLO/HELO host name or something.
Likewise, if any of my public email addresses starts getting a lot of spam attempts, regardless of whether any are actually delivered, it will be changed. My domain registration email address gets changed about once a year. My midrange.com email address gets changed about every two years.
9. I reject email where the envelope sender does not have a fully qualified domain name.
10. I reject email where the envelope recipient is not a valid email address on my server. There are different error messages if it is a role account that I don't have or an email address that is no longer valid because it was recently changed or it is just a bad address. 

11. I accept outgoing email from my own PC.  This skips the next step.
12. I reject email to domains other than my own. This keeps my system from being an "open relay".
With these checks I'm sure that I do block some email that is not spam. But just because it is not spam doesn't mean that I want it. For example, if someone on this list were to email me directly with a question about this email and it were to be blocked, that wouldn't bother me. They should be asking the question through the list so that everyone can benefit from the discussion. And I make sure that I don't block David's netblock so that the emails of his lists can always get through.
Of the emails blocked at the server (not the router), so I can see the envelope sender and recipient, only twice that I can recall have I removed the block and emailed the sender and asked them to resend their email. On the others where I didn't do that, none of them emailed a role account requesting to be whitelisted. If it wasn't important enough for the sender to contact me through a role account, it wasn't important enough for me to be concerned about missing it.
In fact only once have I received a request to remove one of my blocks. That was a sender block. No email had been blocked, but the company found the block through a search engine and didn't want their name on my block page. I had blocked them because it was a company offering anti-spam services that had spammed the news.admin.net-abuse.email newsgroup. The person who contacted me lied about the newsgroup spam. The block is still in place on my server and still listed on the webpage.
I check the mail server logs daily. Spam attempts from a netblock that isn't already blocked will result in a block, either on the server or the router. My policy is "one strike and you're out" or actually "one strike and you're in [my blocklists]". Repeated spam attempts from a netblock blocked on the server *will* result in a router block unless there is some specific reason not to. 

After this long, rambling email, aren't you sorry you asked? <GGG>

Ken
http://www.kensims.net/
Opinions expressed are my own and do not necessarily represent the views
of my employer or anyone in their right mind.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.